Configure Automated Device Enrollment for your Organization<\/h2>\n\n\n\n\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT<\/strong> > MDM<\/strong>.<\/li>\n\n\n\n
- On the MDM home page, click get started<\/strong> under Automated Device Enrollment Configuration<\/strong>.<\/li>\n\n\n\n
- \u200b\u200b\u200bIn Set Up Apple\u2019s Automated Device Enrollment<\/strong>, click download <\/strong>under Generate a Key<\/strong>. JumpCloud downloads a certificate that contains a key. Apple uses this to encrypt the Automated Device Enrollment token.<\/li>\n\n\n\n
- Under Sign in to Apple<\/strong>, click sign into Apple Business Manager<\/strong> and enter your credentials. If you have an education account, click sign into Apple School Manager<\/strong>.<\/li>\n\n\n\n
- Add your MDM server:<\/li>\n\n\n\n
- Select your profile name, then select Preferences<\/strong>.<\/li>\n\n\n\n
- Select MDM Server Assignment<\/strong>, then click Add MDM Server<\/strong>.<\/li>\n\n\n\n
- Enter a name for your company\u2019s MDM server and leave Allow this MDM Server to release devices<\/strong> selected.<\/li>\n\n\n\n
- Click Choose File<\/strong>.<\/li>\n\n\n\n
- Locate the jumpcloud-dep.pem file downloaded in Step 4, select it, and click Open<\/strong>.<\/li>\n\n\n\n
- Click Save<\/strong>.<\/li>\n\n\n\n
- Download the token by selecting the server and clicking Download Token<\/strong>, then clicking Download Server Token<\/strong>.<\/li>\n\n\n\n
- In the Admin Portal, go to Set Up Apple\u2019s Automated Device Enrollment<\/strong> and under Upload Automated Device Enrollment Token<\/strong>, install the new token by clicking Browse <\/strong>or dragging and dropping the server token for your MDM server. <\/li>\n\n\n\n
- Click complete setup<\/strong>.<\/li>\n<\/ol>\n\n\n\n
See the Getting Started Guide for Apple Business Manager<\/a> to learn more about Apple\u2019s Automated Device Enrollment. <\/p>\n\n\n\nAdd the Device to the MDM Server<\/h2>\n\n\n\n\n- Log in to Apple Business Manager (ABM) or Apple School Manager (ASM).<\/li>\n\n\n\n
- Click Devices <\/strong>and select your device. You may want to search for it by serial number.<\/li>\n\n\n\n
- Click Edit MDM Server<\/strong>.<\/li>\n\n\n\n
- Select Assign to the following MDM<\/strong> and choose your MDM server from the list.<\/li>\n\n\n\n
- Click Continue<\/strong>, then click Confirm<\/strong>. <\/li>\n\n\n\n
- Verify that the device was added to your MDM server.<\/li>\n<\/ol>\n\n\n\n
The sync process between Apple and JumpCloud ensures the device will contact JumpCloud\u2019s MDM server on first boot to enroll in MDM.<\/p>\n\n\n\n
Sync the Device to JumpCloud<\/h2>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>
Tip:<\/strong> \nPerform these steps every time you add new devices in ABM or ASM.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT<\/strong> > MDM<\/strong>.<\/li>\n\n\n\n
- On the MDM home tab, click sync with Apple<\/strong> under Automated Device Enrollment Devices<\/strong> to ensure that your list of JumpCloud Automated Device Enrollment devices matches what is in ABM or ASM.<\/li>\n<\/ol>\n\n\n\n
From here, you can configure your end users’ experience on company-owned Apple devices from day one. For macOS users, see Configure your macOS users’ zero-touch experience<\/a>. For iOS users, see Configure your iOS users’ zero-touch experience<\/a>.<\/p>\n\n\n\nConfigure your End Users’ Experience<\/h2>\n\n\n\n
Configure your macOS users’ zero-touch experience<\/strong>:<\/p>\n\n\n\n\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT<\/strong> > MDM<\/strong>.<\/li>\n\n\n\n
- On the Apple<\/strong> tab, under Automated Device Enrollment Configuration<\/strong>, click Configure MacOS<\/strong> to configure your zero-touch experience.<\/li>\n\n\n\n
- Configure the Default Group Association<\/strong>. \n
\n- Select the JumpCloud device group to automatically bind this device to. Default device groups can use a policy to ensure that all devices enrolling in Automated Device Enrollment get the security and compliance levels applied immediately during enrollment.\n
\n\n- None <\/strong>– This device won\u2019t be bound to a device group.<\/li>\n\n\n
- An existing group<\/strong>\u00a0– Select a macOS group that you’ve already created.<\/li>\n\n\n
- Create<\/strong> New group<\/strong>\u00a0– Click\u00a0Create New Group<\/strong>\u00a0to add a new device group and then return here to bind the device to it.<\/li>\n\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>
Note:<\/strong> \nIf the default device group you select is configured to update group membership dynamically, ensure that the group’s membership rules are compatible with the devices you’re expecting to auto-enroll. See Configure Dynamic Device Groups<\/a> to learn more.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<\/p><\/div>
Tip:<\/strong> \nVerify that you\u2019ve included all the policies you want for the device group. Do not include the JumpCloud MDM Enrollment policy, as this is already implemented during automated enrollment.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
\n- Configure the Welcome Screen<\/strong> details, such as title, description, button name, and logo that your users see:\n
\n- Screen Title<\/strong> – Update the title of the Welcome screen.<\/li>\n\n\n\n
- Description <\/strong>– Add critical information to the Welcome screen.<\/li>\n\n\n\n
- Button <\/strong>– Type a new name for the button. The default is continue<\/strong>. <\/li>\n\n\n\n
- Logo <\/strong>– Add your logo to the Welcome screen by going to Settings<\/strong>, selecting Organization Profile<\/strong>, and uploading it there.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Configure the Setup Assistant Settings<\/strong>. Select the screens that you do not<\/strong> want your users to see during account configuration. Controlling what users see can help you troubleshoot any onboarding issues:\n
\n- Select all<\/strong> – None of these screens show during account configuration.<\/li>\n\n\n\n
- Select a screen<\/strong> – Select a specific screen to exclude it during account configuration:\n
\n- Skip Accessibility setup – macOS 11+<\/li>\n\n\n\n
- Skip Analytics<\/li>\n\n\n\n
- Skip Apple Pay setup<\/li>\n\n\n\n
- Skip Privacy Consent screen<\/li>\n\n\n\n
- Skip restoring from backup<\/li>\n\n\n\n
- Skip Screen Time screen<\/li>\n\n\n\n
- Skip Siri setup<\/li>\n\n\n\n
- Skip iCloud Analytics<\/li>\n\n\n\n
- Skip Unlock Your Mac with Apple Watch – macOS 12+<\/li>\n\n\n\n
- Skip Apple Intelligence setup – macOS 15+<\/li>\n\n\n\n
- Skip Wallpaper setup – macOS 14.1+<\/li>\n\n\n\n
- Skip iCloud Documents and Desktop setup<\/li>\n\n\n\n
- Skip Location Services setup<\/li>\n\n\n\n
- Skip Appearance setup<\/li>\n\n\n\n
- Skip Apple ID sign-in<\/li>\n\n\n\n
- Skip Touch ID setup<\/li>\n\n\n\n
- Skip DisplayTone setup<\/li>\n\n\n\n
- Skip manual FileVault setup<\/li>\n\n\n\n
- Skip Terms and Conditions<\/li>\n\n\n\n
- Skip Lockdown Mode setup – macOS 14+<\/li>\n\n\n\n
- Skip Terms of Address setup – macOS 13+<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Under User authentication<\/strong>, select Enable <\/strong>to turn on User authentication, which requires users to authenticate during Automated Device Enrollment. A successful macOS authentication automatically binds the user’s JumpCloud account to the device with Sudo Admin permissions. If users aren\u2019t prompted to authenticate when they power up their devices, you didn\u2019t enable user authentication here.<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>
Tip:<\/strong> \nAfter the macOS user authenticates, you can change the user’s permissions to remove Sudo Admin permissions. See Set Admin\/Sudo Permissions<\/a> to learn more.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n\n- Click save<\/strong>.<\/li>\n\n\n\n
- You can require users to change a password when authenticating during Automated Device Enrollment:\n
\n- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the checkbox for one user or select all users, then click more actions<\/strong>.<\/li>\n\n\n\n
- Choose Force Password Change<\/strong>. The user must reset the password when authenticating during Automated Device Enrollment.<\/li>\n\n\n\n
- Click force change<\/strong>. <\/li>\n<\/ol>\n<\/li>\n\n\n\n
- After the user authenticates, verify that the user was automatically bound to the macOS device and has Sudo permissions:\n
\n- Go to DEVICE MANAGEMENT<\/strong> > Devices<\/strong>.<\/li>\n\n\n\n
- Select the device and select the Users <\/strong>tab.<\/li>\n\n\n\n
- Verify that the correct user appears as an Admin with Sudo permissions on the device. Each macOS device requires at least one admin account per device as part of MDM enrollment. <\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
To see a simulation of what your macOS user will see when they open the box to log into their new device, see our simulations linked in Additional Resources<\/a> below.<\/p>\n\n\n\n<\/p><\/div>
Note:<\/strong> The actual screens might be slightly different depending on the screens that you chose when you customized the zero-touch settings.<\/p><\/div><\/div><\/div>\n\n\n\nIf an unsupported macOS device is assigned to the JumpCloud MDM server in ABM, it will attempt to install the agent, which will generate an error and cause the device to hang at the install screen. The device will need to have the JumpCloud MDM server unassigned in ABM. This can be done by removing the JumpCloud MDM server from the Default Device Assignment under Device Management Settings or by changing the Device Management settings for the individual device.<\/p>\n\n\n\n
Configure your iOS users’ zero-touch experience<\/h3>\n\n\n\n\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT<\/strong> > MDM<\/strong>.<\/li>\n\n\n\n
- Under Automated Device Enrollment Configuration<\/strong> in the MDM home tab, click configure iOS and iPadOS<\/strong> to configure your zero-touch experience.<\/li>\n\n\n\n
- Select a JumpCloud iOS device group to automatically bind to this device. Default device groups can use a policy to ensure that all devices enrolling in Automated Device Enrollment get the security and compliance levels applied immediately during enrollment.\n
\n\n- None <\/strong>– This device won\u2019t be assigned to a device group.<\/li>\n\n\n
- An existing group<\/strong> – Select an iOS device group that you already created.<\/li>\n\n\n
- New group<\/strong> – Click Create New Group<\/strong> to add a new group and then return here to bind the group to the device.<\/li>\n\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>
Tip:<\/strong> \nVerify that you\u2019ve included all the policies you want for the device group. Do not include the JumpCloud MDM Enrollment policy, as this is already implemented during automated enrollment.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
\n- Customize the Welcome screen title, description, and button name that your users see:\n
\n\n- Screen Title<\/strong> – Update the title of the Welcome screen.<\/li>\n\n\n
- Description <\/strong>– Add critical information to the Welcome screen.<\/li>\n\n\n
- Button <\/strong>– Type a new name for the button. The default is continue<\/strong>.<\/li>\n\n\n
- Logo <\/strong>– Add your logo to the Welcome screen by going to Settings, selecting Organization Profile, and uploading your logo.<\/li>\n\n<\/ul>\n<\/li>\n\n\n\n
- Select the screens that you do not want your iOS users to see during device configuration. Controlling what users see can help you troubleshoot any issues:\n
\n\n- Select all <\/strong>– None of these screens show during device configuration.<\/li>\n\n\n
- Select a screen<\/strong> – Select the screens to exclude during configuration.<\/li>\n\n<\/ul>\n<\/li>\n\n\n\n
- Select Enable <\/strong>to turn on User authentication, which requires users to authenticate during Automated Device Enrollment. A successful iOS authentication automatically assigns the JumpCloud user to the device. If users aren\u2019t prompted to authenticate when they power up their devices, you did not enable user authentication here.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n\n\n\n
- To increase device security, you can require users to change their password when authenticating during Automated Device Enrollment:\n
\n\n- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n
- Select the checkbox for one user or select all users, then click more actions<\/strong>.<\/li>\n\n\n
- Choose Force Password Change<\/strong>. The user must reset the password when authenticating during Automated Device Enrollment.<\/li>\n\n\n
- Click force change<\/strong>. <\/li>\n\n<\/ul>\n<\/li>\n\n\n\n
- After the user authenticates, verify that the user is assigned to the device and that the device appears in the Devices list.\n
\n\n- Go to DEVICE MANAGEMENT<\/strong> > Devices<\/strong>.<\/li>\n\n\n
- Select Devices<\/strong>, select the device, then select Users<\/strong>.<\/li>\n\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Default Password Sync<\/h2>\n\n\n\n
By default, any new users associated to devices have their JumpCloud password synced to their device password. Toggle this Off<\/strong> to disable password sync and have users enter a local password to log into their device instead. See Device Password Sync<\/a> to learn more. <\/p>\n\n\n\nRenew Your Automated Device Enrollment Token Annually<\/h2>\n\n\n\n
You need to renew Apple\u2019s Automated Device Enrollment server token every year to continue enrolling new devices with Automated Device Enrollment. Your token expiration date is visible in the MDM home page under Automated Device Enrollment Configuration.<\/p>\n\n\n\n
See the Getting Started Guide for Apple Business Manager<\/a> to learn more about Apple\u2019s Automated Device Enrollment. <\/p>\n\n\n\n The sync process between Apple and JumpCloud ensures the device will contact JumpCloud\u2019s MDM server on first boot to enroll in MDM.<\/p>\n\n\n\n Perform these steps every time you add new devices in ABM or ASM.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n From here, you can configure your end users’ experience on company-owned Apple devices from day one. For macOS users, see Configure your macOS users’ zero-touch experience<\/a>. For iOS users, see Configure your iOS users’ zero-touch experience<\/a>.<\/p>\n\n\n\n Configure your macOS users’ zero-touch experience<\/strong>:<\/p>\n\n\n\n If the default device group you select is configured to update group membership dynamically, ensure that the group’s membership rules are compatible with the devices you’re expecting to auto-enroll. See Configure Dynamic Device Groups<\/a> to learn more.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n Verify that you\u2019ve included all the policies you want for the device group. Do not include the JumpCloud MDM Enrollment policy, as this is already implemented during automated enrollment.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n After the macOS user authenticates, you can change the user’s permissions to remove Sudo Admin permissions. See Set Admin\/Sudo Permissions<\/a> to learn more.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n To see a simulation of what your macOS user will see when they open the box to log into their new device, see our simulations linked in Additional Resources<\/a> below.<\/p>\n\n\n\n Note:<\/strong> The actual screens might be slightly different depending on the screens that you chose when you customized the zero-touch settings.<\/p><\/div><\/div><\/div>\n\n\n\n If an unsupported macOS device is assigned to the JumpCloud MDM server in ABM, it will attempt to install the agent, which will generate an error and cause the device to hang at the install screen. The device will need to have the JumpCloud MDM server unassigned in ABM. This can be done by removing the JumpCloud MDM server from the Default Device Assignment under Device Management Settings or by changing the Device Management settings for the individual device.<\/p>\n\n\n\n Verify that you\u2019ve included all the policies you want for the device group. Do not include the JumpCloud MDM Enrollment policy, as this is already implemented during automated enrollment.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n By default, any new users associated to devices have their JumpCloud password synced to their device password. Toggle this Off<\/strong> to disable password sync and have users enter a local password to log into their device instead. See Device Password Sync<\/a> to learn more. <\/p>\n\n\n\n You need to renew Apple\u2019s Automated Device Enrollment server token every year to continue enrolling new devices with Automated Device Enrollment. Your token expiration date is visible in the MDM home page under Automated Device Enrollment Configuration.<\/p>\n\n\n\nAdd the Device to the MDM Server<\/h2>\n\n\n\n
\n
Sync the Device to JumpCloud<\/h2>\n\n\n\n
<\/p><\/div>\n
Configure your End Users’ Experience<\/h2>\n\n\n\n
\n
\n
\n\n
<\/p><\/div><\/p><\/div>\n
\n
\n
\n
<\/p><\/div>\n
\n
\n
<\/p><\/div>Configure your iOS users’ zero-touch experience<\/h3>\n\n\n\n
\n
\n\n
<\/p><\/div>\n
\n\n
\n\n
\n\n
\n\n
Default Password Sync<\/h2>\n\n\n\n
Renew Your Automated Device Enrollment Token Annually<\/h2>\n\n\n\n